Bug #43136 possible crash on script execution timeout
Submitted: 2007-10-30 08:45 UTC Modified: 2007-11-20 09:57 UTC
From: tony2001@php.net Assigned: dmitry (profile)
Status: Closed Package: Scripting Engine problem
PHP Version: 4.4.7 OS: Linux 64bit
Private report: No CVE-ID: None
 [2007-10-30 08:45 UTC] tony2001@php.net
Description:
------------
The crash is really rare, but seems to be possible.
According to the core, it happened when script execution timed out and active_opline pointer was NULL at that moment, so zend_get_executed_lineno() tried to dereference NULL ptr.
Even though the backtrace mentions Zend Optimizer, it doesn't seem to be required to reproduce the crash and it is not PHP4 specific.

Reproduce code:
---------------
.

Expected result:
----------------
.

Actual result:
--------------
(gdb) bt
#0  0x000000000052d7d1 in zend_get_executed_lineno () at /shared/misc/standard/php.src/php-4.4.7/Zend/zend_execute_API.c:269
#1  0x0000000000536c4b in zend_error (type=1, format=0x6ce4b8 "Maximum execution time of %d second%s exceeded")
    at /shared/misc/standard/php.src/php-4.4.7/Zend/zend.c:760
#2  <signal handler called>
#3  0x0000002a97194f2b in zend_optimizer_set_oe_ex () from /local/Zend/lib/php-4.4.x/ZendOptimizer.so
#4  0x0000002a97194f16 in zend_optimizer_set_oe_ex () from /local/Zend/lib/php-4.4.x/ZendOptimizer.so
#5  0x0000002a97194f16 in zend_optimizer_set_oe_ex () from /local/Zend/lib/php-4.4.x/ZendOptimizer.so
#6  0x0000002a97194f16 in zend_optimizer_set_oe_ex () from /local/Zend/lib/php-4.4.x/ZendOptimizer.so
#7  0x0000002a97194f16 in zend_optimizer_set_oe_ex () from /local/Zend/lib/php-4.4.x/ZendOptimizer.so
#8  0x00000000005365bf in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /shared/misc/standard/php.src/php-4.4.7/Zend/zend.c:939
#9  0x00000000004fe699 in php_execute_script (primary_file=0x7fbffffb20) at /shared/misc/standard/php.src/php-4.4.7/main/main.c:1784
#10 0x0000000000557bfd in main (argc=5, argv=0x7fbffffc78) at /shared/misc/standard/php.src/php-4.4.7/sapi/cgi/cgi_main.c:2236

Further investigation has shown that active_opline is NULL:
(gdb) f 0
#0  0x000000000052d7d1 in zend_get_executed_lineno () at /shared/misc/standard/php.src/php-4.4.7/Zend/zend_execute_API.c:269
269     /shared/misc/standard/php.src/php-4.4.7/Zend/zend_execute_API.c: No such file or directory.
        in /shared/misc/standard/php.src/php-4.4.7/Zend/zend_execute_API.c
(gdb) p executor_globals.opline_ptr
$3 = (zend_op **) 0x7fbfff9510
(gdb) p *executor_globals.opline_ptr
$4 = (zend_op *) 0x0


 [2007-10-30 08:47 UTC] tony2001@php.net
Assigning to Dmitry at his request.
 [2007-11-08 12:54 UTC] dmitry@php.net
Probably the crash occurs because of a wrong value in EG(opline_ptr).

In zend_do_fcall_common_helper(), EG(opline_ptr) is inconsistent between the call to zend_execute() and its restoration via EG(opline_ptr) = &EX(opline);

If the timeout occurs while EG(opline_ptr) is inconsistent, it may crash PHP.

EG(active_op_array) has exactly the same problem.

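To make the window described in the previous comment concrete, here is a constructed C model, added to this page and not PHP's own code or the committed fix: a timeout that lands between the nested zend_execute() and the caller's restore of EG(opline_ptr) observes a NULL opline slot (the `$4 = (zend_op *) 0x0` from the gdb session), so the line-number reader used by zend_error() must guard both levels of indirection. The names lineno_guarded, lineno_unguarded and call_with_timeout_at, and the choice to clear the slot during the nested call, are assumptions of the model.

```c
#include <stddef.h>

/* Constructed model of the engine state behind bug #43136 (not PHP's code).
 * opline_ptr stands in for EG(opline_ptr): it points at the current frame's
 * opline slot, and the error path reads the line number through it. */
typedef struct { unsigned lineno; } zend_op;
typedef struct { zend_op *opline; } execute_data;

static zend_op **opline_ptr = NULL;     /* models EG(opline_ptr) */
static int timeout_pending = 0;         /* models the SIGALRM/SIGPROF flag */
static unsigned reported_lineno = 0;    /* what zend_error() would print */

/* Reader modelled on the behaviour in the trace: only the outer pointer is
 * guarded, so a NULL frame slot is dereferenced. Kept for comparison; it is
 * never called on the inconsistent state below. */
unsigned lineno_unguarded(void)
{
    return opline_ptr ? (*opline_ptr)->lineno : 0;
}

/* Hardened reader: the timeout handler runs asynchronously with respect to
 * the call/return sequence, so both levels are checked and "unknown line"
 * (0) is reported instead of crashing. */
unsigned lineno_guarded(void)
{
    return (opline_ptr && *opline_ptr) ? (*opline_ptr)->lineno : 0;
}

/* Models the timeout firing: decorate the error with the current line. */
static void on_timeout(void)
{
    if (!timeout_pending) return;
    reported_lineno = lineno_guarded();
    timeout_pending = 0;
}

/* Models zend_do_fcall_common_helper(): the frame slot is disturbed by the
 * nested execute and restored by the caller only afterwards. A timeout that
 * fires in between (fire_inside_window != 0) sees the NULL slot. */
unsigned call_with_timeout_at(int fire_inside_window)
{
    zend_op op = { 17 };                 /* constructed: "current line 17" */
    execute_data caller = { &op };
    opline_ptr = &caller.opline;
    reported_lineno = 99;                /* sentinel, overwritten on timeout */
    timeout_pending = 1;
    if (!fire_inside_window) on_timeout();  /* consistent state, before the call */
    caller.opline = NULL;                /* nested zend_execute() leaves NULL */
    if (fire_inside_window) on_timeout();   /* the inconsistent window */
    caller.opline = &op;                 /* EG(opline_ptr) = &EX(opline) */
    opline_ptr = NULL;                   /* frame gone: do not leave a dangling ptr */
    return reported_lineno;
}
```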
 [2007-11-20 09:57 UTC] dmitry@php.net
Fixed in CVS HEAD and PHP_5_3.
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved.
Last updated: Sat Jul 05 04:01:35 2025 UTC